Microsoft’s President Makes the Case For A “Digital Geneva Convention”

In case you missed it, Microsoft’s Brad Smith makes an interesting suggestion in MIT Tech Review for a “Geneva” convention on cyber-security, an idea I have floated in our Security 50 CISO forum. Some excerpts:

In recent years, computing and security companies have uncovered or been the victims of malware and network attacks that appear linked with military or intelligence agencies. Smith told an audience at the world’s largest security conference Tuesday that international diplomacy is needed to mitigate the negative effects on private companies and citizens.

…

“Nation-state hacking has evolved into attacks on civilians in times of peace,” said Smith at the RSA Conference in San Francisco, echoing the language of the Geneva Convention. “We need to call on the world’s governments to come together [as] they came together in 1949 in Switzerland.” Smith, who is also Microsoft’s chief legal officer, has recently lobbied for legal reforms to update privacy and security protections for the Internet era (see “Microsoft’s Top Lawyer Becomes a Civil Rights Campaigner”).

Smith’s Proposed Requirements

3. Report vulnerabilities to vendors rather than stockpile, sell, or exploit them.

4. Exercise restraint in developing cyberweapons and ensure that any developed are limited, precise, and not reusable.

5. Commit nonproliferation activities to cyberweapons.

6. Limit offensive operations to avoid a mass event.

…

Smith’s sentiments about the importance of diplomacy in tackling what is often seen as a technical problem were echoed Tuesday by Michael McCaul, chair of the House Homeland Security Committee.

Countries would always differ in their attitudes on privacy and security, but coördination is necessary to prevent cyberattacks causing serious harm, said McCaul, also speaking at RSA. “The U.S. should be engaging with overseas partners,” he said. “We must develop clear rules of the road when it comes to cyberwarfare.”